diff --git a/debian/certs/debian-uefi-ca.pem b/debian/certs/debian-uefi-ca.pem
new file mode 100644
index 000000000..315301e73
--- /dev/null
+++ b/debian/certs/debian-uefi-ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIRAO1UodWvh0iUjZ+JMu6cfDQwDQYJKoZIhvcNAQELBQAw
+IDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MDkx
+OFoXDTQ2MDgwOTE4MDkxOFowIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnZXUi5vaEKwuyoI3
+waTLSsMbQpPCeinTbt1kr4Cv6maiG2GcgwzFa7k1Jf/F++gpQ97OSz3GEk2x7yZD
+lWjNBBH+wiSb3hTYhlHoOEO9sZoV5Qhr+FRQi7NLX/wU5DVQfAux4gOEqDZI5IDo
+6p/6v8UYe17OHL4sgHhJNRXAIc/vZtWKlggrZi9IF7Hn7IKPB+bK4F9xJDlQCo7R
+cihQpZ0h9ONhugkDZsjfTiY2CxUPYx8rr6vEKKJWZIWNplVBrjyIld3Qbdkp29jE
+aLX89FeJaxTb4O/uQA1iH+pY1KPYugOmly7FaxOkkXemta0jp+sKSRRGfHbpnjK0
+ia9XeQIDAQABo4HSMIHPMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYlaHR0
+cHM6Ly9kc2EuZGViaWFuLm9yZy9zZWN1cmUtYm9vdC1jYTAfBgNVHSMEGDAWgBRs
+zs5+TGwNH2FJ890n38xcu0GeoTAUBglghkgBhvhCAQEBAf8EBAMCAPcwEwYDVR0l
+BAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFGzOzn5MbA0fYUnz3SffzFy7QZ6hMA0GCSqGSIb3DQEBCwUAA4IB
+AQB3lj5Hyc4Jz4uJzlntJg4mC7mtqSu9oeuIeQL/Md7+9WoH72ETEXAev5xOZmzh
+YhKXAVdlR91Kxvf03qjxE2LMg1esPKaRFa9VJnJpLhTN3U2z0WAkLTJPGWwRXvKj
+8qFfYg8wrq3xSGZkfTZEDQY0PS6vjp3DrcKR2Dfg7npfgjtnjgCKxKTfNRbCcitM
+UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
+7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
+305gdrAGewiwbuNknyFWrTkP
+-----END CERTIFICATE-----
diff --git a/debian/changelog b/debian/changelog
index 3f022c870..9678f22dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (4.18~rc7-1~exp1) UNRELEASED; urgency=medium
   [ Ben Hutchings ]
   * certs: Remove certificates for test key used in Debian signing service and
     for my personal signing key
+  * certs: Add certificate for production key used in Debian signing service
 
  -- Uwe Kleine-König <ukleinek@debian.org>  Sat, 21 Jul 2018 16:52:01 +0200
 
diff --git a/debian/config/config b/debian/config/config
index 441d1c4f5..e21b53aea 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -71,7 +71,7 @@ CONFIG_EFI_PARTITION=y
 #. Signatures are added in linux-signed
 CONFIG_MODULE_SIG_KEY=""
 #. Actually a file containing X.509 certificates, not keys
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
 
 ##
 ## file: crypto/Kconfig
diff --git a/debian/config/featureset-rt/config b/debian/config/featureset-rt/config
index 2b12da895..7c7989648 100644
--- a/debian/config/featureset-rt/config
+++ b/debian/config/featureset-rt/config
@@ -2,7 +2,7 @@
 ## file: certs/Kconfig
 ##
 #. Certificate paths are resolved relative to debian/build/source_rt
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
 
 ##
 ## file: kernel/Kconfig.preempt